2022S2 Week5 Security R1a

This document discusses information security and why computer incidents are so prevalent. It identifies several reasons for the widespread nature of security issues, including increasing system complexity, expanding networks and technologies, and a growing reliance on commercial software with known vulnerabilities. The document also outlines common types of computer exploits like ransomware, viruses, worms, Trojan horses, spam, and distributed denial-of-service attacks. Nation-state surveillance, sophisticated attackers, and the global nature of systems further exacerbate security challenges.

Uploaded by farina zhoriifah

9/12/22

1 Information Security Management


INFO123 2022S2
Dr. Stephen Wingreen
2 Objectives
After completing this chapter, you will be able to:
Explain why computer incidents are so prevalent
Identify and briefly describe the types of computer exploits and their
impact
Describe the earmarks of a strong security program
Identify specific measures used to prevent computer crime
Outline actions that must be taken in the event of a successful
security intrusion
3 Why security is a problem
—Security is a problem because doing business requires open
systems.
—A system may be secured very effectively, if nobody has access
rights, or privileges to use it.
—Open systems, by definition, pose a greater threat because of their
openness.
—A proper balance must be sought between openness and security.
4 Why security is a problem
—The need for “security” presupposes that there is a resource, or
something of value, that needs to be protected.
—It’s only a resource, if someone’s allowed to use it.
—What use is security, if there are no resources to secure?
Conversely, securing a resource makes it scarce, and therefore
more costly.
—This is a very strong argument in support of the notion that value is
derived from the usage of resources, rather than the securing of
them.
5 Value Revisited
—Does a thing have intrinsic value? That is, does it have value
regardless of whether or not anyone thinks it’s valuable, or has a
use for it?
—Or, does a thing only have value if someone believes it is valuable,
or has a use for it?
—Does securing a resource make it more or less valuable?
—Example: did the response to coronavirus cause more damage
and loss than the virus itself, if it were left “unsecured”?

—To a great extent, what you believe will determine whether, and
how to secure something.
6 The Threat Landscape
7 Why Computer Incidents Are So Prevalent
—Increasing Complexity Increases Vulnerability
—Cloud computing, networks, computers, mobile devices,
virtualization, operating systems, applications, Web sites, switches,
routers, and gateways are interconnected and driven by millions of
lines of code
—Higher Computer User Expectations
—Computer help desks are under intense pressure to respond very
quickly to users’ questions
—Expanding and Changing Systems Introduce New Risks
—It is difficult for IT organizations to keep up with the pace of
technological change, successfully perform an ongoing
assessment of new security risks, and implement approaches for
dealing with them

8 Why Computer Incidents Are So Prevalent


—Increased Prevalence of Bring Your Own Device Policies
—Bring your own device (BYOD): a business policy that permits
(encourages) employees to use their own mobile devices to
access company computing resources and applications
—BYOD makes it difficult for IT organizations to adequately
safeguard additional portable devices with various OSs and
applications
—Growing Reliance on Commercial Software with Known
Vulnerabilities
—An exploit is an attack on an information system that takes
advantage of a particular system vulnerability
—Often this attack is due to poor system design or implementation
—Users should download and install patches for known fixes to
software vulnerabilities
—Any delay in doing so exposes the user to a potential security
breach
9 Why Computer Incidents Are So Prevalent
—Nation-state surveillance and intrusion
—Included in this category are instances of nation-states
collaborating with private corporations
—Whistleblowers
—William Binney (2002) – NSA whistleblower
—Edward Snowden (2013) – NSA Contractor
—Wikileaks (2017) – “Vault 7” publication of CIA hacking tools
—Highlights
—Mass surveillance of law-abiding citizens
—Paying technology companies *not* to fix their products
—Cyberwarfare
—Warrantless searches
—Nation-states hire private corporations to do things that are
illegal if done by the State, but ok for private corporations.
—And, perhaps the most devious of them all: “CIA secretly owned
world's top encryption supplier, read enemy and ally messages
for decades” (2020 reporting on the Crypto AG operation)

10 Why Computer Incidents Are So Prevalent


11 Why Computer Incidents Are So Prevalent
—Increasing Sophistication of Those Who Would Do Harm
—Today’s computer menace is organized and may be part of an
organized group that has an agenda and targets specific
organizations and Web sites

12 Types of Exploits
13 Types of Exploits
—Common attacks include:
—Ransomware
—Viruses
—Worms
—Trojan horses
—Blended threat
—Spam
—Distributed denial-of-service attacks
—Rootkits
—Advanced persistent threat
—Phishing, spear-phishing, smishing and vishing
—Identity theft
—Cyberespionage and cyberterrorism
14 Types of Exploits
—Ransomware
—Malware that stops you from using your computer or accessing
your data until you meet certain demands such as paying a
ransom or sending photos to the attacker
—Viruses
—A piece of programming code (usually disguised as something
else) that causes a computer to behave in an unexpected and
undesirable manner
—Spread to other machines when a computer user shares an
infected file or sends an email with a virus-infected attachment
—Worms
—A harmful program that resides in the active memory of the
computer and duplicates itself
—Can propagate without human intervention
15 Types of Exploits
—Trojan Horses
—A seemingly harmless program in which malicious code is hidden
—A victim on the receiving end is usually tricked into opening it
because it appears to be useful software from a legitimate source
—The program’s harmful payload might be designed to enable the
attacker to destroy hard drives, corrupt files, control the
computer remotely, launch attacks against other computers,
steal passwords or spy on users
—Often creates a “backdoor” on a computer that enables an
attacker to gain future access
—Logic bomb
—A type of Trojan horse that executes when it is triggered by a
specific event
16 Types of Exploits
—Blended Threat
—A sophisticated threat that combines the features of a virus,
worm, Trojan horse, and other malicious code into a single
payload
—Might use server and Internet vulnerabilities to initiate and then
transmit and spread an attack using EXE files, HTML files, and
registry keys
—Spam
—The use of email systems to send unsolicited email to large
numbers of people
—Also an inexpensive method of marketing used by many
legitimate organizations
—Controlling the Assault of Non-Solicited Pornography and
Marketing (CAN-SPAM) Act states that it is legal to spam,
provided the messages meet a few basic requirements
—Spammers cannot disguise their identity by using a false return
address
—The email must include a label specifying that it is an ad or a
solicitation
—The email must include a way for recipients to opt out of future
mass mailings
17 Types of Exploits
—Spam (cont’d)
—CAPTCHA (Completely Automated Public Turing Test to Tell
Computers and Humans Apart) software generates and grades
tests that humans can pass and all but the most sophisticated
computer programs cannot
18 Types of Exploits
—Distributed Denial-of-Service Attacks
—An attack in which a malicious hacker takes over computers via
the Internet and causes them to flood a target site with demands
for data and other small tasks
—Keeps target so busy responding to requests that legitimate users
cannot get in
—Botnet
—A large group of computers, controlled from one or more remote
locations by hackers, without the consent of their owners
—Sometimes called zombies
—Frequently used to distribute spam and malicious code

19 Types of Exploits
20 Types of Exploits
—Rootkit
—A set of programs that enables its user to gain administrator-level
access to a computer without the end user’s consent or
knowledge
—Attackers can use the rootkit to execute files, access logs,
monitor user activity, and change the computer’s configuration

—Symptoms of rootkit infections:
—Computer locks up or fails to respond to input from the keyboard
—Screen saver changes without any action on the part of the user
—Taskbar disappears
—Network activities function extremely slow
21 Types of Exploits
—Advanced Persistent Threat
—APT is a network attack in which an intruder gains access to a
network and stays undetected with the intention of stealing data
over a long period of time
—An APT attack advances through the following five phases:
—Reconnaissance
—Incursion
—Discovery
—Capture
—Export
—Detecting anomalies in outbound data is the best way for
administrators to discover that the network has been the target of
an APT attack
22 Types of Exploits
—Phishing
—The act of fraudulently using email to try to get the recipient to
reveal personal data
—Con artists send legitimate-looking emails urging recipients to
take action to avoid a negative consequence or to receive a
reward
—Spear-phishing is a variation of phishing where fraudulent emails
are sent to a certain organization’s employees
—Much more precise and narrow
—Designed to look like they came from high-level executives
within organization
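The checks below are an added example of how a mail gateway or SOC script can triage a suspected spear-phishing message; this is not code from the lecture. It assumes a company domain of example.co.nz, a constructed directory of executives (EXECUTIVES), an assumed keyword list (URGENCY) and a sample message written for this example. A production version would also consult SPF, DKIM and DMARC results.

```python
"""Triage checks for a suspected spear-phishing message.

Added example (not from the lecture). Constructed assumptions: the company
domain is example.co.nz, EXECUTIVES is a made-up directory of senior staff,
URGENCY is an assumed keyword list, and SAMPLE is a message written for this
example. Real deployments would add SPF/DKIM/DMARC results to these checks.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.nz"
EXECUTIVES = {"jane smith": "jane.smith@example.co.nz"}  # display name -> address on file
URGENCY = ("urgent", "immediately", "within 24 hours", "wire", "gift card",
           "account will be suspended")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. Executive impersonation: a display name we recognise, but the
    #    sending address is not the one on file for that person.
    on_file = EXECUTIVES.get(name.strip().lower())
    if on_file and addr.lower() != on_file:
        findings.append(f"display name '{name}' impersonates {on_file} but sender is {addr}")

    # 2. Lookalike domain: an external domain that embeds our brand (heuristic).
    dom = domain_of(addr)
    if dom and dom != COMPANY_DOMAIN and COMPANY_DOMAIN.split(".")[0] in dom:
        findings.append(f"lookalike domain {dom}")

    # 3. Reply-To steering replies away from the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != dom:
        findings.append(f"Reply-To {reply_to} differs from From domain {dom}")

    # 4. Pressure language typical of phishing lures.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))
    return findings


# Constructed sample lure for this example.
SAMPLE = """\
From: Jane Smith <jane.smith@example-co.nz.payments-portal.com>
Reply-To: ceo.jsmith@mail.ru
To: accounts@example.co.nz
Subject: URGENT wire transfer needed

Please process this wire immediately. I am in a meeting and cannot be reached.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

The sample trips all four checks; a genuine message from jane.smith@example.co.nz with no Reply-To and no pressure wording produces no findings. The lookalike test is deliberately a heuristic: a legitimate vendor whose domain happens to contain the brand name would also be flagged, which is acceptable for a triage queue but not for automatic blocking.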
23 Types of Exploits
24 Types of Exploits
—Smishing and Vishing
—Smishing is a variation of phishing that involves the use of texting
—Vishing is similar to smishing except the victims receive a voice
mail message telling them to call a phone number or access a
Web site
—Identity Theft
—The theft of a person’s personal information, which is then used
without their permission
—Data breach is the unintended release of sensitive data or the
access of sensitive data by unauthorized individuals
—Often results in identity theft
—Most e-commerce Web sites use some form of encryption technology
(typically TLS) to protect information in transit from the consumer
25 Types of Exploits
—Cyberespionage
—Involves the development of malware that secretly steals data in
the computer systems of organizations, such as government
agencies, military contractors, political organizations, and
manufacturing firms
—Mostly targeted toward high-value data such as the following:
—Sales, marketing, and new product development plans,
schedules, and budgets
—Details about product designs and innovative processes
—Employee personal information
—Customer and client data
—Sensitive information about partners and partner agreements
26 Types of Exploits
—Cyberterrorism
—The intimidation of a government or civilian population by using
information technology to disable critical national infrastructure to
achieve political, religious, or ideological goals
—Department of Homeland Security (DHS) provides a link that
enables users to report cyber incidents
—Incident reports go to the U.S. Computer Emergency Readiness
Team (US-CERT)
—In NZ, the GCSB has authority over cyberterrorism.
—Cyberterrorists try daily to gain unauthorized access to a number
of important and sensitive sites
27 Information Security Law
“The more laws, the less justice”

Cicero
28 Information Security and The Law
—Most countries have a legal framework that supports some level of
information security, especially in the developed world.
—However, it is not wise to rely on the law or the State to secure
information resources.
—Laws don’t prevent the bad guys from doing bad things, and the
State typically becomes involved only after a crime has been
committed.
—Laws are only effective if they are enforced.
—The Roman statesman and philosopher Cicero once said, “The
more laws, the less justice”.
—Companies should take responsibility for their own information security.
—Likewise, individuals should take responsibility for their own
information security.
29 Federal Laws for Prosecuting Computer Attacks
30 Risk
“It's a dangerous business, Frodo, going out your door.”

J. R. R. Tolkien
31 Risk: good or bad?
—Risk is not only ever-present, but also necessary for successful
business.
—Since, by definition, something that is risk-free is guaranteed to be
successful, a strong argument may be made that anything worth
doing, must be risky.
—If value is related to scarcity, then risk also contributes to value.
—If something is not risky, then there will be an abundance of it, and
it will not have much value.
—If something is risky, it will be scarce, and therefore, valuable.
—Risk cannot be eliminated.
—Since risk contributes to value, it should be managed, like any other
resource that contributes to value.
—An argument may also be made that risk and value are
complementary aspects of the same thing.

32 How is risk managed?


—Risk is the likelihood of an adverse occurrence.
—Management cannot manage threats directly, but can limit
security consequences by creating a backup-processing facility at
a remote location.
—Companies can reduce risks, but always at a cost. It is
management's responsibility to decide how much to spend, or
stated differently, how much risk to assume.
—Uncertainty refers to lack of knowledge, especially about chance of
occurrence or risk of an outcome or event.
—An earthquake could devastate a corporate data centre built on a
fault that no one knew about.
—An employee finds a way to steal inventory using a hole in the
corporate website that no expert knew existed.
33 Implementing Secure, Private, Reliable Computing
—A strong security program begins by
—Assessing threats to the organization’s computers and network
—Identifying actions that address the most serious vulnerabilities
—Educating users about the risks involved and the actions they
must take to prevent a security incident
—If an intrusion occurs, there must be a clear reaction plan that
addresses:
—Notification
—Evidence protection
—Activity log maintenance
—Containment
—Eradication
—Recovery
34 Risk Assessment
—Risk assessment
—The process of assessing security-related risks to an
organization’s computers and networks from both internal and
external threats
—Steps in a general risk assessment process are:
—Identify the set of IS assets about which the organization is most
concerned
—Identify the loss events or the risks or threats that could occur
—Assess the frequency of events or the likelihood of each potential
threat
—Determine the impact of each threat occurring
—Determine how each threat can be mitigated so it is less likely to
occur

—Assess the feasibility of implementing the mitigation options
—Perform a cost-benefit analysis to ensure that your efforts will be
cost effective
—Make the decision on whether or not to implement a particular
countermeasure
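The steps above, carried through as a worked quantitative example. This is an added illustration, not part of the lecture, and it uses the standard SLE/ARO/ALE vocabulary that the slides do not name: single loss expectancy (asset value times exposure factor), annualised rate of occurrence, and annualised loss expectancy (SLE times ARO). The asset, threat and countermeasure figures are hypothetical.

```python
"""Quantitative risk assessment and countermeasure cost-benefit.

Added example (not from the lecture). It uses the standard
SLE/ARO/ALE vocabulary, which the slides do not name:
  SLE = single loss expectancy = asset value * exposure factor
  ARO = annualised rate of occurrence (expected events per year)
  ALE = annualised loss expectancy = SLE * ARO
The asset, threat and countermeasure figures below are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    asset: str
    name: str
    asset_value: float      # value at risk, in dollars
    exposure_factor: float  # fraction of the value lost per event, 0..1
    aro: float              # expected events per year

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # how much less likely the event becomes, 0..1
    ef_reduction: float = 0.0   # how much smaller the loss per event becomes, 0..1
    feasible: bool = True       # feasibility screen from the assessment steps

    def residual_ale(self, t: Threat) -> float:
        aro = t.aro * (1 - self.aro_reduction)
        ef = t.exposure_factor * (1 - self.ef_reduction)
        return t.asset_value * ef * aro


def evaluate(threat: Threat, options: list) -> list:
    """Rank the options by net annual benefit (ALE removed minus cost) and decide each one."""
    rows = []
    for cm in options:
        residual = cm.residual_ale(threat)
        net = threat.ale - residual - cm.annual_cost
        rows.append({
            "threat": f"{threat.asset}/{threat.name}",
            "countermeasure": cm.name,
            "ale_before": round(threat.ale, 2),
            "ale_after": round(residual, 2),
            "annual_cost": cm.annual_cost,
            "net_benefit": round(net, 2),
            "feasible": cm.feasible,
            # Implement only when feasible and the risk removed outweighs the spend.
            "implement": cm.feasible and net > 0,
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Hypothetical register entry: ransomware against the customer database.
CUSTOMER_DB = Threat("customer-db", "ransomware", asset_value=500_000,
                     exposure_factor=0.6, aro=0.25)   # roughly one event every four years
OPTIONS = [
    Countermeasure("offline tested backups", annual_cost=20_000, ef_reduction=0.8),
    Countermeasure("EDR on all endpoints", annual_cost=45_000, aro_reduction=0.5),
    Countermeasure("full data-centre rebuild at remote site", annual_cost=400_000,
                   ef_reduction=0.95, feasible=False),
]

if __name__ == "__main__":
    for row in evaluate(CUSTOMER_DB, OPTIONS):
        print(row)
```

With these figures the ALE is $75,000 a year; tested offline backups cut it to $15,000 for $20,000, a net gain of $40,000, while endpoint detection at $45,000 only removes $37,500 of expected loss and is rejected on cost alone. The numbers are invented, but the shape of the decision (reduce impact versus reduce likelihood, and compare each against its cost) is what the slides' final three steps ask for.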
35 Risk Assessment
36 Information Security Governance and Policy
37 Establishing a Security Policy
Security policy has three elements.
— Enterprise Information Security Policy (EISP): A general statement
of organisation's security programme. This statement becomes the
foundation for more specific security measures.
— Management specifies the goals of security programme and the
assets to be protected.
— Statement designates a department for managing security
programme and documents. In general terms, it specifies how the
organisation will ensure enforcement of security programmes and
policies.
— Issue-Specific Security Policy (ISSP): e.g. Personal use of
computers at work and email privacy.
— System-Specific Security Policy (SSSP): e.g. what customer data
from order-entry system will be sold or shared with other
organisations? Or, what policies govern the design and operation
of systems that process employee data? Addressing such policies
is part of standard systems development process.
38 Security Education, Training, and Awareness Program (SETA)
—Once general security policy exists, implement a security
education, training, and awareness (SETA) program
—SETA is a control measure designed to reduce accidental security
breaches.
—The SETA program consists of security education, security training,
and security awareness.
—Enhances security by improving awareness, developing skills, and
knowledge, and building in-depth knowledge
39 Security Education
—Everyone in an organization needs to be trained and aware of
information security; not every member needs a formal degree or
certificate in information security.
—When formal education is deemed appropriate, an employee can

investigate courses in continuing education from local institutions of
higher learning.
—A number of universities have formal coursework in information
security.
40 Security Training
—Provides members of the organization with detailed information and
hands-on instruction to prepare them to perform their duties
securely
—Management of information security can develop customized in-
house training or outsource the training program.
—Alternatives to formal training include conferences and programs
offered through professional organizations.
41 Security Awareness
—One of the least frequently implemented but most beneficial
programs is the security awareness program.
—Designed to keep information security at the forefront of users’
minds
—Need not be complicated or expensive
—If the program is not actively implemented, employees may begin to
neglect security matters, and risk of employee accidents and
failures are likely to increase.
42 Educating Employees and Contract Workers
43 Prevention
—Organizations should implement a layered security solution to
make computer break-ins so difficult that an attacker gives up
—If an attacker breaks through one layer, another layer must then
be overcome
—Layers of protective measures are explained in more detail in the
following sections
44 Implementing a Corporate Firewall
—Firewall
—A system of software, hardware, or a combination of both that
stands guard between an organization’s internal network and the
Internet and limits network access based on the organization’s
access policy
—Next-generation firewall (NGFW)
—A hardware- or software-based network security system that is
able to detect and block sophisticated attacks by filtering network

traffic dependent on the packet contents
—Goes deeper to inspect the payload of packets and match
sequences of bytes for harmful activities
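An added example (not lecture code) that contrasts the two firewall types above: a header-only packet filter that applies an access policy with first-match semantics and default deny, and an NGFW stage that goes on to inspect the payload of traffic the policy has already allowed. The address ranges, rule table, content rules and packets are constructed; connection-state tracking, which any real firewall does, is left out to keep the policy logic visible.

```python
"""Header-only packet filter vs. next-generation (payload-inspecting) firewall.

Added example (not from the lecture). The address ranges, rule table,
content rules and packets are constructed for illustration; a real
firewall would also track connection state, which is omitted here.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    payload: bytes = b""


# Access policy: first matching rule wins; anything unmatched is denied.
# (action, source network, destination network, protocol, destination ports or None for any)
RULES = [
    ("deny",  "203.0.113.0/24", "0.0.0.0/0",    "tcp", None),        # blocklisted source range
    ("allow", "0.0.0.0/0",      "10.0.1.10/32", "tcp", {80, 443}),   # public web server
    ("allow", "10.0.0.0/8",     "0.0.0.0/0",    "tcp", {443}),       # internal hosts to HTTPS out
]


def filter_headers(p: Packet) -> str:
    """Traditional firewall decision: addresses, protocol and port only."""
    for action, src, dst, proto, ports in RULES:
        if (ip_address(p.src) in ip_network(src)
                and ip_address(p.dst) in ip_network(dst)
                and p.proto == proto
                and (ports is None or p.dport in ports)):
            return action
    return "deny"


# Content rules an NGFW applies to traffic the header policy has already allowed.
CONTENT_RULES = [
    ("http-path-traversal", re.compile(rb"\.\./|%2e%2e%2f", re.IGNORECASE)),
    ("http-sqli-union",     re.compile(rb"union\s+select", re.IGNORECASE)),
]


def inspect_payload(p: Packet) -> Optional[str]:
    for name, pattern in CONTENT_RULES:
        if pattern.search(p.payload):
            return name
    return None


def ngfw_decide(p: Packet) -> Tuple[str, str]:
    """Header policy first, then payload inspection; returns (verdict, reason)."""
    verdict = filter_headers(p)
    if verdict != "allow":
        return verdict, "header-policy"
    signature = inspect_payload(p)
    return ("deny", signature) if signature else ("allow", "clean")


if __name__ == "__main__":
    probes = [
        Packet("198.51.100.7", "10.0.1.10", 443),
        Packet("198.51.100.7", "10.0.1.10", 22),
        Packet("198.51.100.7", "10.0.1.10", 80, payload=b"GET /../../etc/passwd HTTP/1.1\r\n"),
        Packet("203.0.113.5", "10.0.1.10", 443),
    ]
    for pk in probes:
        print(pk.src, "->", f"{pk.dst}:{pk.dport}", ngfw_decide(pk))
```

Note that the blocklist rule must come before the allow rule for the web server: with first-match evaluation, reordering them would silently let the blocklisted range through on ports 80 and 443. The traversal request is allowed by the header policy (it is an ordinary port-80 packet to the web server) and is only stopped by the payload stage, which is the distinction the NGFW slide is making.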
45 Utilizing a Security Dashboard
—Security dashboard software provides a comprehensive display of
all vital data related to an organization’s security defenses
46 Installing Antivirus Software on Personal Computers
—Antivirus software
—Scans for specific sequence of bytes, known as a virus signature,
that indicates the presence of a specific virus
—If virus is found
—Antivirus software informs the user and may clean, delete, or
quarantine any files, directories, or disks affected by the malicious
code
—It is crucial that antivirus software be continually updated with the
latest virus signatures
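The signature scan described above, as an added example rather than lecture code. It shows two signature kinds, a SHA-256 of the whole file and a byte sequence that may occur anywhere in it, and moves matches into a read-only quarantine. EICAR is the industry-standard harmless test string that antivirus products are expected to detect; the "Example.Dropper.A" pattern and the scanned files are constructed for this example. The limitation the slide hints at is visible in the code: a file that differs from every signature by even one byte (a repacked or polymorphic sample) is reported clean, which is why signature updates matter and why products add behavioural detection on top.

```python
"""Signature-based file scan with quarantine.

Added example (not from the lecture). Two signature kinds are shown: a
SHA-256 of the whole file, and a byte sequence that may appear anywhere in
it. EICAR is the industry-standard harmless test string that every antivirus
product is expected to detect; the "Example.Dropper.A" pattern and the
scanned files are constructed for this example.
"""
import hashlib
import shutil
from pathlib import Path
from typing import Dict, Optional

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

BYTE_SIGNATURES = {
    "EICAR-Test-File": EICAR,
    # constructed: NOP sled followed by a call/pop pair, a classic shellcode prologue
    "Example.Dropper.A": b"\x90\x90\x90\x90\xe8\x00\x00\x00\x00\x5b",
}
HASH_SIGNATURES = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File(hash)",
}


def scan_bytes(data: bytes) -> Optional[str]:
    """Return the first matching signature name, or None (whole-file hash first, then byte search)."""
    hit = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if hit:
        return hit
    for name, sig in BYTE_SIGNATURES.items():
        if sig in data:
            return name
    return None


def scan_tree(root, quarantine) -> Dict[str, str]:
    """Scan every regular file under root; move matches into quarantine (read-only).
    Returns {original path: signature name}."""
    root, quarantine = Path(root), Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    found = {}
    for path in list(root.rglob("*")):          # materialise before moving files
        if not path.is_file() or quarantine in path.parents:
            continue
        hit = scan_bytes(path.read_bytes())
        if hit:
            found[str(path)] = hit
            dest = quarantine / (path.name + ".quarantined")
            shutil.move(str(path), str(dest))
            dest.chmod(0o400)   # keep the sample for analysis, but not executable
    return found


if __name__ == "__main__":
    import tempfile
    base = Path(tempfile.mkdtemp())
    (base / "files").mkdir()
    (base / "files" / "eicar.com").write_bytes(EICAR)
    (base / "files" / "report.txt").write_bytes(b"quarterly report\n")
    print(scan_tree(base / "files", base / "quarantine"))
```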
47 Implementing Safeguards against Attacks by Malicious Insiders
—User accounts that remain active after employees leave a company
are a potential security risk
—IS staff must promptly delete computer accounts, login IDs, and
passwords of departing employees
—Another safeguard
—Create roles and user accounts so that users have the authority
to perform their responsibilities and nothing more
48 Addressing the Most Critical Internet Security Threats
—Computer attackers
—Know that many organizations are slow to fix problems
—Scan the Internet for vulnerable systems
—US-CERT (whose functions now sit within CISA) regularly updates a
summary of the most frequent, high-impact vulnerabilities being reported
—Find it at www.us-cert.gov/current
—Actions required to address these issues include installing a known
patch to the software
—And keeping applications and OSs up-to-date
49 Conducting Periodic IT Security Audits
—Security audit
—Evaluates whether an organization has well-considered security
policy in place and if it is being followed
—The audit should
—Review who has access to particular systems and data and what
level of authority each user has
—Test system safeguards to ensure that they are operating as
intended
—Some organizations also perform a penetration test
—Individuals try to break through the measures and identify
vulnerabilities
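One added example (not lecture code) serves both the insider safeguards above, deleting departed employees' accounts and giving users only the authority their role needs, and the audit step of reviewing who has access to what. It reconciles three constructed inputs: an HR roster (PEOPLE), a directory account export (ACCOUNTS) and a role matrix of the entitlements each job role needs (ROLE_MATRIX). The 90-day dormancy threshold and all names and dates are assumptions.

```python
"""Access review: departed users, orphan accounts and excess privilege.

Added example (not from the lecture). It reconciles three constructed
inputs: an HR roster (PEOPLE), a directory account export (ACCOUNTS) and a
role matrix saying which entitlements each job role needs (ROLE_MATRIX). The
90-day dormancy threshold and all names and dates are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Person:
    employee_id: str
    role: str
    end_date: Optional[date] = None   # None = still employed


@dataclass
class Account:
    username: str
    employee_id: Optional[str]        # None for accounts with no owner on record
    enabled: bool
    last_login: Optional[date]
    entitlements: Set[str]


# Least-privilege baseline: what each role needs and nothing more.
ROLE_MATRIX = {
    "accounts-payable": {"mail", "erp:ap-clerk"},
    "sysadmin": {"mail", "vpn", "erp:admin", "domain-admin"},
}


def review(people: List[Person], accounts: List[Account], today: date,
           stale_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (username, category, detail) findings for the audit report."""
    by_id = {p.employee_id: p for p in people}
    findings = []
    for a in accounts:
        owner = by_id.get(a.employee_id)
        if owner is None:
            findings.append((a.username, "orphan", "no matching employee record"))
            continue
        # Leaver still enabled after the HR end date.
        if owner.end_date and owner.end_date <= today and a.enabled:
            days = (today - owner.end_date).days
            findings.append((a.username, "departed", f"still enabled {days} days after end date"))
        # Entitlements beyond what the owner's role is allowed.
        excess = sorted(a.entitlements - ROLE_MATRIX.get(owner.role, set()))
        if excess:
            findings.append((a.username, "excess-privilege", f"{owner.role} holds {excess}"))
        # Enabled but unused: a candidate for disabling.
        if a.enabled and a.last_login and (today - a.last_login).days > stale_days:
            findings.append((a.username, "dormant", f"last login {a.last_login}"))
    return findings


# Constructed sample data for this example.
TODAY = date(2022, 9, 12)
PEOPLE = [
    Person("E1", "sysadmin"),
    Person("E2", "accounts-payable", end_date=date(2022, 7, 31)),
    Person("E3", "accounts-payable"),
    Person("E4", "sysadmin"),
]
ACCOUNTS = [
    Account("alice", "E1", True, date(2022, 9, 10), {"mail", "vpn", "erp:admin"}),
    Account("bob", "E2", True, date(2022, 7, 29), {"mail", "erp:ap-clerk"}),
    Account("carol", "E3", True, date(2022, 9, 9), {"mail", "erp:ap-clerk", "erp:admin"}),
    Account("dave", "E4", True, date(2022, 4, 1), {"mail"}),
    Account("svc-backup", None, True, None, {"domain-admin"}),
]

if __name__ == "__main__":
    for finding in review(PEOPLE, ACCOUNTS, TODAY):
        print(finding)
```

On the sample data alice is clean, bob is a leaver whose account is still enabled 43 days after his end date, carol holds an ERP admin entitlement her role does not need, dave's account has not been used in months, and svc-backup has no owner at all. Running the same reconciliation on every review cycle is what turns the slide's "promptly delete" into something that can be checked rather than hoped for.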
50 Detection
—Intrusion detection system (IDS)
—Software and/or hardware that monitors system and network
resources and activities
—Notifies network security personnel when it detects network traffic
that attempts to circumvent the security measures of a networked
computer environment
—Knowledge-based (signature) IDS
—Matches observed traffic and events against a database of
known attack patterns and system vulnerabilities; cannot detect an
attack it has no signature for
—Behavior-based (anomaly) IDS
—Models the normal behavior of a system and its users from
reference information collected by various means, and flags
deviations from that baseline
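The two detection styles side by side, as an added example (not lecture code). The first rule is knowledge-based: it encodes a known attack pattern, repeated SSH password failures from one source within a short window. The second is behaviour-based: it models each host's normal daily outbound volume and flags a host that departs from its own baseline, which is also the outbound-data anomaly the APT slide earlier says is the best indicator of a long-running intrusion. The auth log lines, the flow history and the thresholds are all constructed or assumed.

```python
"""Knowledge-based (signature) detection beside behaviour-based (anomaly) detection.

Added example (not from the lecture). The first rule encodes a known attack
pattern, repeated SSH password failures from one source. The second models
each host's normal outbound volume and flags a departure from it, which is
the outbound-data anomaly the APT slide says to look for. AUTH_LOG, HISTORY
and TODAY are constructed; the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sshd log excerpt (syslog format).
AUTH_LOG = """\
Sep 12 09:00:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Sep 12 09:00:03 bastion sshd[4022]: Failed password for invalid user admin from 203.0.113.9 port 51123 ssh2
Sep 12 09:00:05 bastion sshd[4023]: Failed password for root from 203.0.113.9 port 51124 ssh2
Sep 12 09:00:06 bastion sshd[4024]: Failed password for root from 203.0.113.9 port 51125 ssh2
Sep 12 09:00:08 bastion sshd[4025]: Failed password for root from 203.0.113.9 port 51126 ssh2
Sep 12 09:01:10 bastion sshd[4030]: Failed password for alice from 10.0.5.7 port 40010 ssh2
Sep 12 09:01:40 bastion sshd[4031]: Accepted password for alice from 10.0.5.7 port 40011 ssh2
"""

FAILED = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (?P<src>[\d.]+) port")


def brute_force_alerts(log: str, threshold: int = 5, window: timedelta = timedelta(seconds=60),
                       year: int = 2022) -> List[Tuple[str, datetime, datetime]]:
    """Knowledge-based rule: at least `threshold` failures from one source within `window`."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            times[m["src"]].append(ts)
    alerts = []
    for src, stamps in times.items():
        stamps.sort()
        # Slide a window of `threshold` consecutive failures along the sorted timestamps.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts.append((src, stamps[i], stamps[i + threshold - 1]))
                break
    return alerts


# Constructed outbound megabytes per host per day: a 14-day baseline, then today's figure.
HISTORY = {
    "10.0.5.7": [120, 135, 110, 128, 140, 115, 130, 125, 118, 132, 127, 121, 138, 124],
    "10.0.5.8": [40, 45, 38, 42, 50, 41, 39, 44, 47, 43, 40, 46, 42, 41],
}
TODAY = {"10.0.5.7": 131, "10.0.5.8": 2650}


def outbound_anomalies(history: Dict[str, List[float]], today: Dict[str, float],
                       k: float = 3.0) -> List[Tuple[str, float, float]]:
    """Behaviour-based rule: flag a host whose outbound volume exceeds mean + k*stdev of its own baseline."""
    alerts = []
    for host, samples in history.items():
        limit = mean(samples) + k * pstdev(samples)
        if today.get(host, 0) > limit:
            alerts.append((host, today[host], round(limit, 1)))
    return alerts


if __name__ == "__main__":
    print("brute force:", brute_force_alerts(AUTH_LOG))
    print("exfil candidates:", outbound_anomalies(HISTORY, TODAY))
```

The signature rule fires on 203.0.113.9 (five failures in seven seconds) and ignores alice's single typo; raising the threshold to six makes the same burst invisible, which is the blind spot of any knowledge-based rule. The baseline rule flags 10.0.5.8 for sending roughly sixty times its usual volume while 10.0.5.7, which is a little above its average, stays quiet. A per-host baseline is deliberate: one global threshold would either miss a low-volume workstation exfiltrating or drown the SOC in alerts from a busy file server.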
51 Detection
52 Response
—A response plan should be developed well in advance of any
incident
—Should be approved by the organization’s legal department and
senior management
—A well-developed response plan helps keep an incident under
technical and emotional control
—In a security incident, the primary goal must be to:
—Regain control and limit damage, not to attempt to monitor or
catch an intruder
53 Incident Notification
—Key element of a response plan is to
—Define who to notify and who not to notify in the event of a
security incident
—Questions to cover:
—Within the company, who needs to be notified, and what
information does each person need to have?
—Under what conditions should the company contact major
customers and suppliers?
—How does the company inform them of a disruption in business
without unnecessarily alarming them?
—When should local authorities or the FBI be contacted?
—A critical ethical question:
—What to tell customers and others whose personal data may have
been compromised?
54 Protection of Evidence and Activity Logs
—Organizations should document all details of a security incident as
they work to resolve it
—Documentation captures valuable evidence for a future prosecution
—And provides data to help during the incident eradication and
follow-up phases
—Organizations should establish a set of document-handling
procedures using the legal department as a resource
55 Incident Containment
—The incident response plan should clearly define the process for
deciding if an attack is dangerous enough to warrant shutting down
or disconnecting critical systems from the network
—Elements of an effective response plan:
—How decisions to shut down systems are made
—How fast those decisions are made
—Who makes them
56 Eradication
—Before eradication, the IT security group must:
—Collect and log all possible criminal evidence from the system
—Verify that all necessary backups are current, complete, and free
of any malware
—Create a forensic disk image of each compromised system
—After eradication, a new backup must be created
—A log should be kept of all actions taken
—All backups should be created with enough frequency to enable a
full and quick restoration of data
—If an attack destroys the original
57 Incident Follow-Up
—Follow-up should include:
—Determining how the organization’s security was compromised
—A review to determine exactly what happened and to evaluate
how the organization responded
—A detailed chronology of all events
—An estimate of the monetary damage
—A decision on how much effort should be put into capturing the
perpetrator
—A decision on whether the organization has an ethical or a legal
duty to inform customers or clients of a cyber attack
58 Using a Managed Security Service Provider (MSSP)
—Managed Security Service Provider (MSSP)
—A company that monitors, manages, and maintains computer and
network security for other organizations
—Includes companies such as AT&T, Computer Sciences
Corporation, Dell SecureWorks, IBM, Symantec, and Verizon
—Some MSSPs provide vulnerability scanning and Web blocking and
filtering capabilities
59 Computer Forensics
—Computer Forensics
—A discipline that combines elements of law and computer science
to identify, collect, examine, and preserve data from computer
systems, networks, and storage devices in a manner that
preserves the integrity of the data gathered
—Computer forensics investigators work as a team to investigate an
incident and conduct the forensic analysis
—Proper handling of computer forensics investigation is the key to
fighting computer crime successfully in a court of law
—Numerous certifications exist:
—CCE (Certified Computer Examiner), CISSP (Certified Information
Systems Security Professional), CSFA (CyberSecurity Forensic
Analyst), and GCFA (Global Information Assurance Certification
Certified Forensic Analyst)
60 Computer Forensics
61 Computer Forensics
62 Summary
—Computer crime is a serious and rapidly growing area of concern
requiring management attention
—Organizations must take strong measures to ensure secure,
private, and reliable computing experiences for their employees,
customers, and business partners
